Hey Guys
Very new to Splunk. I want to do the following
1) Install Splunk on Docker on my NAS (Have the basic one done I believe)
2) Forward my DD-WRT router logs to syslog-ng (?) or straight to Splunk? I saw an add-on, installed it, but no data obviously to ingest.
3) Have other docker containers running on NAS - forward their logs to splunk?
Now
1) Do I need Splunk Forwarder docker setup as well?
2) How do I set up router logs to be sent to the forwarder and then to Splunk?
3) Or do I install syslog-ng (any know-how?) and then send logs to that, and then how will Splunk get it?
4) How do I get logs from other containers into splunk?
New to this and want to do a home setup with centralized monitoring on Splunk
Thanks... I set up syslog-ng but nothing is coming in on port 514. I tried various commands to send a test message but syslog ain't recording it (can't see anything on disk). Need to figure that out first.
Thanks @FrankVI
Can we use Splunk to listen on 514 and send logs there instead of using rsyslog / syslog-ng? Something like http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Monitornetworkports
Or is there an advantage of using a separate syslog?
Yes, you can do that as well. It is typically not recommended (as you will have data loss during Splunk restarts, for one reason), so I kept my setup closer to best practice. But if you want to keep things simple, and are not worried about reliability that much for home use, a network input can also work.
Not too familiar with Docker, but I do have a somewhat similar use case at home, so let me outline how I solved that. It doesn't use Docker, but hopefully that still provides some pointers that you can use to answer some of your questions.
I have a Linux VM running in VirtualBox on an Intel NUC. On this VM I have a syslog daemon (rsyslog in my case, but syslog-ng would also work) as well as a single-instance Splunk Enterprise installation.
My router (and some other devices) send their syslog to the rsyslog daemon on the VM, rsyslog writes it to disk and Splunk is configured with file monitor inputs to pick it up from there.
To take a stab at your questions:
1: No, I don't think so. I don't see what that would add (apart from the educational purpose of working with a separate forwarder instance).
2+3: I think a setup with a syslog daemon (potentially running in docker) receiving the data and writing to a location on disk that is accessible by your Splunk docker instance would be the way to go.
4: Have the processes running in those other containers write to a disk location that is shared with the Splunk Docker container, such that Splunk can monitor it.
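As an added example (not code from the thread, FrankVI, or any project), the layout described in that answer written out as config: an rsyslog drop-in that receives on 514 and writes one file per sender, the Splunk file-monitor input that reads that directory, the Splunk network-input alternative from the later reply, and a small check for the "nothing arrives on 514" symptom. It assumes rsyslog 8 (rainerscript syntax), that rsyslog and Splunk both see `/var/log/remote` (one VM, or a shared Docker volume), and the image names and config mount paths in the compose file are my own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: rsyslog 8 syntax,
# /var/log/remote is visible to both rsyslog and Splunk (shared Docker volume
# or one VM), image names and mount paths in the compose output are assumed.

# Path components of a monitored directory plus one = the Splunk host_segment
# that selects the per-sender subdirectory. A trailing slash is ignored.
host_segment_for() {
  base="${1%/}"
  printf '%s\n' "$base" | awk -F/ '{ print NF }'   # "/var/log/remote" -> 4
}

# rsyslog drop-in (e.g. /etc/rsyslog.d/remote.conf): UDP and TCP on 514, one
# file per sender. %fromhost-ip% comes from the socket, so a sender cannot
# steer the output path the way it could via the message's own %HOSTNAME%.
# TCP is the reliable choice; UDP is what most routers actually send.
rsyslog_remote_conf() {
  cat <<'EOF'
module(load="imudp")
module(load="imtcp")
template(name="RemoteFile" type="string"
         string="/var/log/remote/%fromhost-ip%/syslog.log")
ruleset(name="remote") {
  action(type="omfile" dynaFile="RemoteFile"
         dirCreateMode="0755" fileCreateMode="0640")
}
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
EOF
}

# Splunk file-monitor input; host_segment is derived from the path so the
# per-sender directory name becomes the event's host field.
splunk_monitor_inputs_conf() {
  base="${1:-/var/log/remote}"
  seg=$(host_segment_for "$base")
  cat <<EOF
[monitor://$base]
sourcetype = syslog
host_segment = $seg
disabled = 0
EOF
}

# The alternative from the later reply: Splunk listens on 514 itself. Nothing
# is buffered on disk, so whatever arrives while splunkd restarts is lost.
splunk_udp_inputs_conf() {
  cat <<'EOF'
[udp://514]
sourcetype = syslog
connection_host = ip
disabled = 0
EOF
}

# Both containers mount the same host directory: rsyslog writes, Splunk reads.
docker_compose_yaml() {
  cat <<'EOF'
# Image names and the Splunk config mount are assumptions, not from the thread.
services:
  rsyslog:
    image: rsyslog/syslog_appliance_alpine
    ports: ["514:514/udp", "514:514/tcp"]
    volumes:
      - ./remote-logs:/var/log/remote
      - ./rsyslog-remote.conf:/etc/rsyslog.d/remote.conf:ro
  splunk:
    image: splunk/splunk:latest
    environment:
      SPLUNK_START_ARGS: "--accept-license"
      SPLUNK_PASSWORD: "change-me-please"
    ports: ["8000:8000"]
    volumes:
      - ./remote-logs:/var/log/remote:ro
      - ./inputs.conf:/opt/splunk/etc/apps/remote_syslog/local/inputs.conf:ro
EOF
}

# Write all four files into a directory; returns the number written.
write_example_configs() {
  dir="$1"
  mkdir -p "$dir"
  rsyslog_remote_conf        > "$dir/rsyslog-remote.conf"
  splunk_monitor_inputs_conf > "$dir/inputs.conf"
  splunk_udp_inputs_conf     > "$dir/inputs-network-alternative.conf"
  docker_compose_yaml        > "$dir/docker-compose.yml"
  ls "$dir" | wc -l | tr -d ' '
}

# For "nothing arrives on 514": is a listener bound, and does a message sent
# from the syslog host itself land on disk? Run on the syslog host.
verify_pipeline() {
  ss -ulnp 2>/dev/null | grep -q ':514 ' || echo "no UDP listener on 514 (not bound, or container port not published)"
  logger -n 127.0.0.1 -P 514 -d -t example "syslog-to-splunk test"
  sleep 1
  grep -rl 'syslog-to-splunk test' /var/log/remote 2>/dev/null || echo "message not written under /var/log/remote"
}

case "${1:-}" in
  write)  write_example_configs "${2:-./syslog-splunk-example}" ;;
  verify) verify_pipeline ;;
esac
```

Run `sh example.sh write` to get the files, then `sh example.sh verify` on the syslog host; if the listener check fails inside Docker, the usual cause is the port not being published or the host firewall, not syslog itself. If you later change the monitored directory, recompute `host_segment` rather than editing it by hand; an off-by-one there silently assigns every event the wrong host.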